diff options
| author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2015-11-08 09:03:55 +0000 |
|---|---|---|
| committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2015-11-08 09:03:55 +0000 |
| commit | 4a254b6f0663ae86c7f141e95933c8e03dacbaac (patch) | |
| tree | b4e0f792b8206431ac188bb1f3ff2107bd092703 | |
| parent | 88fcb8c3f9cf28b9b56fc42fa6924d34757404a1 (diff) | |
| download | redmine-4a254b6f0663ae86c7f141e95933c8e03dacbaac.tar.gz redmine-4a254b6f0663ae86c7f141e95933c8e03dacbaac.zip | |
Backported r14796 (#21150).
git-svn-id: http://svn.redmine.org/redmine/branches/2.6-stable@14840 e93f8b46-1217-0410-a6f0-8f06a7374b81
| -rw-r--r-- | app/models/time_entry.rb | 13 | ||||
| -rw-r--r-- | app/views/timelog/_form.html.erb | 4 | ||||
| -rw-r--r-- | test/functional/timelog_controller_test.rb | 17 |
3 files changed, 29 insertions, 5 deletions
diff --git a/app/models/time_entry.rb b/app/models/time_entry.rb index b5ca2bbc1..c60783708 100644 --- a/app/models/time_entry.rb +++ b/app/models/time_entry.rb @@ -80,9 +80,14 @@ class TimeEntry < ActiveRecord::Base def safe_attributes=(attrs, user=User.current) if attrs attrs = super(attrs) - if issue_id_changed? && attrs[:project_id].blank? && issue && issue.project_id != project_id - if user.allowed_to?(:log_time, issue.project) - self.project_id = issue.project_id + if issue_id_changed? && issue + if issue.visible?(user) && user.allowed_to?(:log_time, issue.project) + if attrs[:project_id].blank? && issue.project_id != project_id + self.project_id = issue.project_id + end + @invalid_issue_id = nil + else + @invalid_issue_id = issue_id end end end @@ -96,7 +101,7 @@ class TimeEntry < ActiveRecord::Base def validate_time_entry errors.add :hours, :invalid if hours && (hours < 0 || hours >= 1000) errors.add :project_id, :invalid if project.nil? - errors.add :issue_id, :invalid if (issue_id && !issue) || (issue && project!=issue.project) + errors.add :issue_id, :invalid if (issue_id && !issue) || (issue && project!=issue.project) || @invalid_issue_id end def hours=(h) diff --git a/app/views/timelog/_form.html.erb b/app/views/timelog/_form.html.erb index 1f350809d..9399767d1 100644 --- a/app/views/timelog/_form.html.erb +++ b/app/views/timelog/_form.html.erb @@ -13,7 +13,9 @@ <% end %> <p> <%= f.text_field :issue_id, :size => 6 %> - <span id="time_entry_issue"><%= "#{@time_entry.issue.tracker.name} ##{@time_entry.issue.id}: #{@time_entry.issue.subject}" if @time_entry.issue.try(:visible?) %></span> + <% if @time_entry.issue.try(:visible?) %> + <span id="time_entry_issue"><%= "#{@time_entry.issue.tracker.name} ##{@time_entry.issue.id}: #{@time_entry.issue.subject}" %></span> + <% end %> </p> <p><%= f.text_field :spent_on, :size => 10, :required => true %><%= calendar_for('time_entry_spent_on') %></p> <p><%= f.text_field :hours, :size => 6, :required => true %></p> diff --git a/test/functional/timelog_controller_test.rb b/test/functional/timelog_controller_test.rb index 44e1a3a34..54a69b7ba 100644 --- a/test/functional/timelog_controller_test.rb +++ b/test/functional/timelog_controller_test.rb @@ -163,6 +163,23 @@ class TimelogControllerTest < ActionController::TestCase assert_equal 3, t.user_id end + def test_create_on_issue_that_is_not_visible_should_not_disclose_subject + issue = Issue.generate!(:subject => "issue_that_is_not_visible", :is_private => true) + assert !issue.visible?(User.find(3)) + + @request.session[:user_id] = 3 + assert_no_difference 'TimeEntry.count' do + post :create, :time_entry => { + :project_id => '', :issue_id => issue.id.to_s, + :activity_id => '11', :spent_on => '2008-03-14', :hours => '7.3' + } + end + assert_error_tag :content => /Issue is invalid/ + assert_select "input[name=?][value=?]", "time_entry[issue_id]", issue.id.to_s + assert_select "#time_entry_issue", 0 + assert !response.body.include?('issue_that_is_not_visible') + end + def test_create_and_continue_at_project_level @request.session[:user_id] = 2 assert_difference 'TimeEntry.count' do |